Stefan Metzmacher

**Name of the Vulnerable Software and Affected Versions** Samba (affected versions not specified) **Description** A path disclosure issue was found in Samba, related to the Spotlight protocol. This issue causes Samba to disclose the server-side absolute path of shares, files, and directories in search query results. A malicious client or an attacker with a targeted RPC request can exploit this flaw to view the disclosed path information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Samba (affected versions not specified) **Description** A flaw was found in the way Samba implements DCE/RPC. If a client to a Samba server sent a very large DCE/RPC request and chose to fragment it, an attacker could replace later fragments with their own data, bypassing the signature requirements. This could allow a remote attacker to impact data integrity. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Samba versions prior to 4.4.16 Samba versions 4.5.x prior to 4.5.14 Samba versions 4.6.x prior to 4.6.8 Description: The issue is related to the lack of enforcement of "SMB signing" in certain configuration options, allowing a remote attacker to launch a man-in-the-middle attack and retrieve information in plain-text. This enables the attacker to hijack client connections. Recommendations: For Samba versions prior to 4.4.16, update to version 4.4.16 or later. For Samba versions 4.5.x prior to 4.5.14, update to version 4.5.14 or later. For Samba versions 4.6.x prior to 4.6.8, update to version 4.6.8 or later.

Name of the Vulnerable Software and Affected Versions: Samba versions prior to 4.4.16 Samba versions prior to 4.5.14 Samba versions prior to 4.6.8 Description: The issue is related to the lack of signing and encryption requirements for SMB traffic when using DFS redirects. This can be exploited by a remote attacker to perform a man-in-the-middle attack, allowing them to read or alter the traffic. Recommendations: For versions prior to 4.4.16, update to version 4.4.16 or later. For versions prior to 4.5.14, update to version 4.5.14 or later. For versions prior to 4.6.8, update to version 4.6.8 or later.

**Name of the Vulnerable Software and Affected Versions** Samba versions 4.0.0 through 4.5.2 **Description** The issue is related to the incorrect handling of the PAC (Privilege Attribute Certificate) checksum in the implementation of the Kerberos protocol in Samba. This can be exploited by a remote, authenticated attacker to cause the winbindd process to crash using a legitimate Kerberos ticket, potentially leading to privilege elevation. A local service with access to the winbindd privileged pipe can also cause winbindd to cache elevated access permissions, further exacerbating the issue. The vulnerability can result in a denial of service and potentially allow an attacker to gain elevated privileges. **Recommendations** For Samba versions 4.0.0 through 4.5.2, consider restricting access to the winbindd privileged pipe to minimize the risk of exploitation until a patch is available. As a temporary workaround, consider disabling the use of Kerberos tickets in the affected Samba versions until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Samba versions 4.2.14 and earlier, 4.3.11 and earlier, 4.4.5 and earlier Samba versions prior to 4.2.14 Samba versions prior to 4.3.11 Samba versions prior to 4.4.5 **Description** The issue allows man-in-the-middle attackers to bypass a client-signing protection mechanism and consequently spoof SMB2 and SMB3 servers via the `SMB2 SESSION FLAG IS GUEST` or `SMB2 SESSION FLAG IS NULL` flag. This is related to a function in `libcli/smb/smbXcli base.c` that is associated with inadequate access control. The exploitation of this issue may enable a remote attacker to substitute SMB2 and SMB3 server protocols using the `SMB2 SESSION FLAG IS GUEST` or `SMB2 SESSION FLAG IS NULL` flags. **Recommendations** For Samba versions prior to 4.2.14, update to version 4.2.14 or later. For Samba versions prior to 4.3.11, update to version 4.3.11 or later. For Samba versions prior to 4.4.5, update to version 4.4.5 or later. As a temporary workaround, consider restricting access to the `libcli/smb/smbXcli base.c` function until a patch is available. Avoid using the `SMB2 SESSION FLAG IS GUEST` or `SMB2 SESSION FLAG IS NULL` flags in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Samba versions 3.x through 4.1.x Samba versions 4.2.x through 4.2.10 Samba versions 4.3.x through 4.3.7 Samba versions 4.4.x through 4.4.1 **Description** The issue is related to the MS-SAMR and MS-LSAD protocol implementations in Samba, which do not handle DCERPC connections correctly. This allows man-in-the-middle attackers to perform protocol-downgrade attacks and impersonate users by modifying the client-server data stream. The vulnerability can be exploited to gain access to confidential data, disrupt data integrity, and cause a denial of service. The issue is also known as "BADLOCK". **Recommendations** For Samba versions 3.x, update to version 4.2.11 or later. For Samba versions 4.2.x, update to version 4.2.11 or later. For Samba versions 4.3.x, update to version 4.3.8 or later. For Samba versions 4.4.x, update to version 4.4.2 or later. As a temporary workaround, consider restricting access to the DCERPC connections to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Samba versions 3.x and 4.x before 4.1.22 Samba versions 4.2.x before 4.2.7 Samba versions 4.3.x before 4.3.3 **Description** The issue is related to a lack of input validation in the Samba package, specifically in components clidfs.c, libsmb server.c, and smbXcli base.c. This allows a remote attacker to impact data integrity. The vulnerability is also related to Samba supporting connections that are encrypted but unsigned, which enables man-in-the-middle attackers to conduct encrypted-to-unencrypted downgrade attacks by modifying the client-server data stream. **Recommendations** For Samba versions 3.x and 4.x before 4.1.22, update to version 4.1.22 or later to resolve the issue. For Samba versions 4.2.x before 4.2.7, update to version 4.2.7 or later to resolve the issue. For Samba versions 4.3.x before 4.3.3, update to version 4.3.3 or later to resolve the issue. As a temporary workaround, consider disabling the use of encrypted but unsigned connections to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Samba versions 4.2.11 and earlier, 4.3.8 and earlier, 4.4.2 and earlier **Description** The issue is related to the SMB1 protocol implementation, which does not properly handle security settings, allowing for potential data integrity issues. This could be exploited by remote attackers to impact data integrity. **Recommendations** For versions 4.2.11 and earlier, update to version 4.2.11 or later. For versions 4.3.8 and earlier, update to version 4.3.8 or later. For versions 4.4.2 and earlier, update to version 4.4.2 or later.

**Name of the Vulnerable Software and Affected Versions** Samba versions 3.x and earlier Samba versions 4.1.x through 4.2.10 Samba versions 4.3.x through 4.3.7 Samba versions 4.4.x through 4.4.1 **Description** The issue is related to the lack of required SMB signing within a DCERPC session over `ncacn np`, allowing man-in-the-middle attackers to spoof SMB clients by modifying the client-server data stream. This vulnerability is associated with security shortcomings in the `ncacn np` function of the Samba network interaction package, which can be exploited by a remote attacker to impact data integrity. **Recommendations** For Samba versions 3.x and earlier, update to version 4.2.11 or later. For Samba versions 4.1.x through 4.2.10, update to version 4.2.11 or later. For Samba versions 4.3.x through 4.3.7, update to version 4.3.8 or later. For Samba versions 4.4.x through 4.4.1, update to version 4.4.2 or later.

**Name of the Vulnerable Software and Affected Versions** Samba versions 4.2.11 and earlier, 4.3.8 and earlier, 4.4.2 and earlier **Description** The issue is related to weaknesses in the cryptographic protection mechanism of the Samba network interaction package. This can allow a remote attacker to access and compromise confidential data. The problem arises because Samba does not verify X.509 certificates from TLS servers, enabling man-in-the-middle attackers to spoof LDAPS and HTTPS servers and obtain sensitive information via a crafted certificate. **Recommendations** For versions 4.2.11 and earlier, update to version 4.2.11 or later. For versions 4.3.8 and earlier, update to version 4.3.8 or later. For versions 4.4.2 and earlier, update to version 4.4.2 or later.

**Name of the Vulnerable Software and Affected Versions** Samba versions 3.x through 4.4.1 Samba versions 4.3.x through 4.3.7 Samba versions 4.2.x through 4.2.10 **Description** The issue is related to a weakness in the security elements of the LDAP library in the Samba network interaction software package. This weakness can be exploited by a remote attacker to impact data integrity. Specifically, the bundled LDAP client library does not recognize the `client ldap sasl wrapping` setting, allowing man-in-the-middle attackers to perform LDAP protocol-downgrade attacks by modifying the client-server data stream. **Recommendations** For Samba versions 3.x through 4.4.1, update to version 4.4.2 or later. For Samba versions 4.3.x through 4.3.7, update to version 4.3.8 or later. For Samba versions 4.2.x through 4.2.10, update to version 4.2.11 or later. As a temporary workaround, consider disabling the LDAP client library until a patch is available. Restrict access to the vulnerable LDAP protocol to minimize the risk of exploitation. Avoid using the `client ldap sasl wrapping` setting in the affected Samba configuration until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Samba versions 3.x through 4.1.x Samba versions 4.2.0 through 4.2.10 Samba versions 4.3.0 through 4.3.7 Samba versions 4.4.0 through 4.4.1 **Description** The issue is related to the NTLMSSP authentication implementation, allowing man-in-the-middle attackers to perform protocol-downgrade attacks. This can be achieved by modifying the client-server data stream to remove application-layer flags or encryption settings, such as clearing the `NTLMSSP NEGOTIATE SEAL` or `NTLMSSP NEGOTIATE SIGN` option, which can disrupt LDAP security. The vulnerability is associated with security weaknesses in the Samba package, potentially allowing a remote attacker to impact data integrity. **Recommendations** For Samba versions 3.x, update to version 4.2.11 or later. For Samba versions 4.2.x, update to version 4.2.11 or later. For Samba versions 4.3.x, update to version 4.3.8 or later. For Samba versions 4.4.x, update to version 4.4.2 or later.

**Name of the Vulnerable Software and Affected Versions** Samba versions 3.x through 3.6.21 Samba versions 4.0.x through 4.0.12 Samba versions 4.1.x through 4.1.2 **Description** The issue allows remote AD domain controllers to execute arbitrary code via an invalid fragment length in a DCE-RPC packet. This is due to a heap-based buffer overflow in the `dcerpc read ncacn packet done` function in `librpc/rpc/dcerpc util.c` in `winbindd`. **Recommendations** For Samba versions 3.x through 3.6.21, update to version 3.6.22 or later. For Samba versions 4.0.x through 4.0.12, update to version 4.0.13 or later. For Samba versions 4.1.x through 4.1.2, update to version 4.1.3 or later.

**Name of the Vulnerable Software and Affected Versions** Samba versions 4.0.x through 4.0.10 Samba versions 4.1.x through 4.1.0 **Description** The issue is related to insufficient cryptographic protection mechanisms in Samba, allowing local users to obtain sensitive information. When LDAP or HTTP is provided over SSL, Samba uses world-readable permissions for a private key, enabling access to the key file and potentially allowing attackers to obtain confidential data. **Recommendations** For Samba versions 4.0.x through 4.0.10, update to version 4.0.11 or later. For Samba versions 4.1.x through 4.1.0, update to version 4.1.1 or later.